n10-Creating-new-role-for-administration (#2350)

* n10-Creating-new-role-for-administration

* Adding-role-in-meta-tasks

* Moving-swag-file

* Moving-swag-file-2

* Changing-from-swagger-file-to-text

* Adding-API-lookup-prior-to-creation

* Adding-API-lookup-prior-to-creation-2

* Adding-API-lookup-prior-to-creation-3

* Adding-API-lookup-prior-to-creation-4

* Adding-API-lookup-prior-to-creation-5

* Adding-API-lookup-prior-to-creation-6

* Adding-API-lookup-prior-to-creation-7

* Updating-tasks

* Updating-tasks

* Updating-tasks-2

* Updating-tasks-3

* Updating-tasks-4

* Updating-tasks-4

* Updating-tasks-5

* Updating-tasks-6

* Updating-tasks-7

* Adding-for-loop-for-lambda-functions

* Adding-for-loop-for-lambda-functions-2

* Adding-for-loop-for-lambda-functions-3

* Adding-for-loop-for-lambda-functions-4

* Adding-for-loop-for-lambda-functions-5

* Adding-for-loop-for-lambda-functions-6

* Adding-for-loop-for-lambda-functions-7

* Adding-for-loop-for-lambda-functions-8

* Adding-for-loop-for-lambda-functions-9

* Adding-for-loop-for-lambda-functions-10

* Adding-for-loop-for-lambda-functions-11

* Switching-role-to-use-aws-cli

* Switching-role-to-use-aws-cli-2

* Switching-role-to-use-aws-cli-3

* Switching-role-to-use-aws-cli-4

* Switching-role-to-use-aws-cli-5

* New-admin-tools-role

* New-admin-tools-role-2

* New-admin-tools-role-3

* New-admin-tools-role-4

* New-admin-tools-role

* New-admin-tools-role-2

* New-admin-tools-role-3

* New-admin-tools-role-4

* New-api_admin_tools-role

* Updating-defaults

---------

Co-authored-by: Matej Stajduhar <[email protected]>

Author: matej5

ce-dev/ansible/vars/provision/galaxy-requirements.yml

@@ -2,8 +2,8 @@
 roles:
   - name: geerlingguy.solr
   - name: geerlingguy.java
-  - name: cloudalchemy.process_exporter
-  - name: cloudalchemy.grafana
+  - name: prometheus.prometheus.process_exporter
+  - name: grafana.grafana.grafana
 collections:
   - name: community.grafana
   - name: prometheus.prometheus

roles/_meta/aws_region/meta/main.yml

@@ -8,3 +8,4 @@ dependencies:
   - role: aws/aws_cloudwatch_log_group
   - role: aws/aws_backup
   - role: aws/aws_backup_sns
+  - role: aws/aws_admin_tools

roles/aws/aws_acl/defaults/main.yml

@@ -6,6 +6,7 @@ aws_acl:
     region: "us-east-1"
     tags: "{{ _aws_tags }}"
     recreate: false # set to true to creating the ACL
+    default_action: "Allow" # Default action if no rules are triggered, can be Block
     rules:
       rate_limit:
         value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking

roles/aws/aws_acl/tasks/create_acl.yml

@@ -92,7 +92,7 @@
     description: "{{ _acl.description }}"
     scope: "{{ _acl.scope }}"
     region: "{{ _acl.region }}"
-    default_action: Allow # or "Block"
+    default_action: "{{ _acl.default_action }}" # or "Block"
     sampled_requests: false
     cloudwatch_metrics: true # or "false" to disable metrics
     metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name)

roles/aws/aws_admin_tools/defaults/main.yml

@@ -0,0 +1,18 @@
+aws_admin_tools:
+  runtime: "python3.12"
+  timeout: 20
+  allowed_ips:
+    - 192.168.1.1/32 # Ip of server with access to API-s
+  functions:
+    - name: "GetForecastedCosts"
+      type: GET
+      policies:
+        - "arn:aws:iam::{{ _acc_id }}:policy/CEBillingPolicy" # Custom policy
+    - name: "ChangeASGScaling"
+      type: POST
+      policies:
+        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
+    - name: "GetListOfEC2"
+      type: GET
+      policies:
+        - arn:aws:iam::aws:policy/AmazonEC2FullAccess

roles/aws/aws_admin_tools/tasks/create.yml

@@ -0,0 +1,74 @@
+- name: Create stage on API gateway.
+  ansible.builtin.command: >-
+    aws apigateway create-stage
+    --rest-api-id "{{ _api_gate.id }}"
+    --stage-name "prod"
+    --deployment-id "{{ _main_api_deploy.id }}"
+    --region "{{ _aws_region }}"
+  register: _main_api_stage
+  when: _api_index | length == 0
+
+- name: Create resources and set methods on API Gateway.
+  ansible.builtin.include_tasks: create_methods.yml
+  loop: "{{ aws_admin_tools.functions }}"
+
+- name: Obtain all information for a single WAF.
+  community.aws.wafv2_web_acl_info:
+    name: "{{ _aws_profile }}_admin_tools"
+    scope: "REGIONAL"
+    region: "{{ _aws_region }}"
+  register: _main_waf
+
+- name: Get list of API gateway resources.
+  ansible.builtin.command: >-
+    aws apigateway get-resources
+    --region "{{ _aws_region }}"
+    --rest-api-id "{{ _api_gate.id }}"
+  register: _api_res_list
+
+- name: Setting previous command output into variable.
+  ansible.builtin.set_fact:
+    _api_res_list: "{{ _api_res_list.stdout | from_json | json_query('items') }}"
+
+- name: Get index of DelMe resource from API gateway.
+  ansible.builtin.set_fact:
+    _api_res_index_list: "{{ lookup('ansible.utils.index_of', _api_res_list, 'eq', '/DelMe', 'path', wantlist=True) }}"
+  when: _api_index | length == 0
+
+- name: Delete the initial resource.
+  ansible.builtin.command: >-
+    aws apigateway delete-resource
+    --rest-api-id "{{ _api_gate.id }}"
+    --resource-id "{{ _api_res_list[_api_res_index_list[0]].id }}"
+    --region "{{ _aws_region }}"
+  when: _api_index | length == 0
+
+- name: Deploy API gateway prior to attaching WAF.
+  ansible.builtin.command: >-
+    aws apigateway create-deployment
+    --rest-api-id "{{ _api_gate.id }}"
+    --stage-name "prod"
+    --region "{{ _aws_region }}"
+
+- name: Add API gateway to waf.
+  community.aws.wafv2_resources:
+    name: "{{ _aws_profile }}_admin_tools"
+    scope: REGIONAL
+    state: present
+    region: "{{ _aws_region }}"
+    arn: "arn:aws:apigateway:{{ _aws_region }}::/restapis/{{ _api_gate.id }}/stages/prod"
+
+- name: Generate unique string.
+  ansible.builtin.set_fact:
+    _rand_str: "{{ lookup('community.general.random_string', length=8, special=false, min_lower=2, min_numeric=2, min_upper=2) }}"
+
+- name: Update Lambda triggers.
+  ansible.builtin.command: >-
+    aws lambda add-permission
+    --function-name "API_{{ item.name }}"
+    --statement-id "{{ item.name }}_{{ _rand_str }}"
+    --action "lambda:InvokeFunction"
+    --principal apigateway.amazonaws.com
+    --source-arn arn:aws:execute-api:{{ _aws_region }}:{{ _acc_id }}:{{ _api_gate.id }}/*/{{ item.type }}/{{ item.name }}
+    --region {{ _aws_region }}
+  loop: "{{ aws_admin_tools.functions }}"

roles/aws/aws_admin_tools/tasks/create_methods.yml

@@ -0,0 +1,80 @@
+- name: Get resources.
+  ansible.builtin.command: >-
+    aws apigateway get-resources
+    --rest-api-id "{{ _api_gate.id }}"
+    --region "{{ _aws_region }}"
+  register: _api_old_resource
+
+- name: Setting previous command output into variable.
+  ansible.builtin.set_fact:
+    _api_old_resource: "{{ _api_old_resource.stdout | from_json }}"
+
+- name: Find the index of existing resource.
+  ansible.builtin.set_fact:
+    _api_old_resource_index: "{{ lookup('ansible.utils.index_of', _api_old_resource['items'], 'eq', '/' + item.name, 'path', wantlist=True) }}"
+
+- name: Delete resource.
+  ansible.builtin.command: >-
+    aws apigateway delete-resource
+    --rest-api-id "{{ _api_gate.id }}"
+    --resource-id "{{ _api_old_resource['items'][_api_old_resource_index[0]].id }}"
+    --region "{{ _aws_region }}"
+  register: _api_old_resource
+  when: _api_old_resource_index | length > 0
+
+- name: Create resource on API gateway.
+  ansible.builtin.command: >-
+    aws apigateway create-resource
+    --rest-api-id "{{ _api_gate.id }}"
+    --parent-id "{{ _api_res_list[_api_res_index_list[0]].id }}"
+    --path-part "{{ item.name }}"
+    --region "{{ _aws_region }}"
+  register: _api_resource
+
+- name: Setting previous command output into variable.
+  ansible.builtin.set_fact:
+    _api_resource: "{{ _api_resource.stdout | from_json }}"
+
+- name: Put method on API gateway
+  ansible.builtin.command: >-
+    aws apigateway put-method
+    --rest-api-id "{{ _api_gate.id }}"
+    --resource-id "{{ _api_resource.id }}"
+    --http-method "{{ item.type }}"
+    --authorization-type "NONE"
+    --no-api-key-required
+    --region "{{ _aws_region }}"
+
+- name: Add Lambda for method.
+  ansible.builtin.command: >-
+    aws apigateway put-integration
+    --rest-api-id "{{ _api_gate.id }}"
+    --resource-id "{{ _api_resource.id }}"
+    --http-method "{{ item.type }}"
+    --type AWS
+    --content-handling CONVERT_TO_TEXT
+    --request-templates '{ "application/json": "{\"statusCode\": 200}" }'
+    --integration-http-method POST
+    --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:API_{{ item.name }}/invocations"
+    --region {{ _aws_region }}
+
+- name: Add method response.
+  ansible.builtin.command: >-
+    aws apigateway put-method-response
+    --rest-api-id "{{ _api_gate.id }}"
+    --resource-id "{{ _api_resource.id }}"
+    --http-method "{{ item.type }}"
+    --status-code "200"
+    --response-models '{"application/json":"Empty"}'
+    --region {{ _aws_region }}
+
+- name: Add integration response.
+  ansible.builtin.command: >-
+    aws apigateway put-integration-response
+    --rest-api-id "{{ _api_gate.id }}"
+    --resource-id "{{ _api_resource.id }}"
+    --http-method "{{ item.type }}"
+    --status-code "200"
+    --selection-pattern ""
+    --content-handling "CONVERT_TO_TEXT"
+    --region {{ _aws_region }}

roles/aws/aws_admin_tools/tasks/create_mock.yml

@@ -0,0 +1,42 @@
+- name: Create MOCK resource on API gateway.
+  ansible.builtin.command: >-
+    aws apigateway create-resource
+    --rest-api-id "{{ _api_gate.id }}"
+    --parent-id "{{ _api_res_list[_api_res_index_list[0]].id }}"
+    --path-part "DelMe"
+    --region "{{ _aws_region }}"
+  register: _api_resource
+
+- name: Setting command output into variable.
+  ansible.builtin.set_fact:
+    _api_resource: "{{ _api_resource.stdout | from_json }}"
+
+- name: Put method on API gateway.
+  ansible.builtin.command: >-
+    aws apigateway put-method
+    --rest-api-id "{{ _api_gate.id }}"
+    --resource-id "{{ _api_resource.id }}"
+    --http-method "GET"
+    --authorization-type "NONE"
+    --no-api-key-required
+    --region "{{ _aws_region }}"
+
+- name: Add mock integration.
+  ansible.builtin.command: >-
+    aws apigateway put-integration
+    --rest-api-id "{{ _api_gate.id }}"
+    --resource-id "{{ _api_resource.id }}"
+    --http-method GET
+    --type MOCK
+    --region {{ _aws_region }}
+
+- name: Create initial deployent for API gateway.
+  ansible.builtin.command: >-
+    aws apigateway create-deployment
+    --rest-api-id "{{ _api_gate.id }}"
+    --region "{{ _aws_region }}"
+  register: _main_api_deploy
+
+- name: Setting command output into variable.
+  ansible.builtin.set_fact:
+    _main_api_deploy: "{{ _main_api_deploy.stdout | from_json }}"

roles/aws/aws_admin_tools/tasks/lambda_functions.yml

@@ -0,0 +1,48 @@
+- name: Create S3 bucket for lambda functions.
+  amazon.aws.s3_bucket:
+    name: "{{ _aws_profile }}-lambda-api-functions"
+    region: "{{ _aws_region }}"
+    state: present
+
+- name: Check and clean any previous python files.
+  ansible.builtin.file:
+    path: "/tmp/{{ item.name }}.py"
+    state: absent
+
+- name: Write Lambda functions.
+  ansible.builtin.template:
+    src: "API_{{ item.name }}.py.j2"
+    dest: "/tmp/API_{{ item.name }}.py"
+
+- name: Create a zip archive of Lambda functions.
+  community.general.archive:
+    path: "/tmp/API_{{ item.name }}.py"
+    dest: "/tmp/API_{{ item.name }}.zip"
+    format: zip
+
+- name: Place Lambda functions in S3 bucket.
+  amazon.aws.s3_object:
+    bucket: "{{ _aws_profile }}-lambda-api-functions"
+    object: "lambda-functions/API-{{ item.name }}.zip"
+    src: "/tmp/API_{{ item.name }}.zip"
+    mode: put
+
+- name: Get appropriate IAM role for Lambda.
+  amazon.aws.iam_role_info:
+    name: "API_{{ item.name }}"
+  register: _iam_api_lambda
+
+- name: Create Lambda functions.
+  amazon.aws.lambda:
+    name: "API_{{ item.name }}"
+    description: "Lambda function for {{ item.name }}"
+    region: "{{ _aws_region }}"
+    timeout: "{{ aws_admin_tools.timeout }}"
+    s3_bucket: "{{ _aws_profile }}-lambda-api-functions"
+    s3_key: "lambda-functions/API-{{ item.name }}.zip"
+    state: present
+    runtime: "{{ aws_admin_tools.runtime }}"
+    role: "{{ _iam_api_lambda.iam_roles[0].arn }}"
+    handler: "API_{{ item.name }}.lambda_handler"
+    tags:
+      Name: "API_{{ item.name }}"

roles/aws/aws_admin_tools/tasks/lambda_iam.yml

@@ -0,0 +1,9 @@
+- name: Attach CloudWatch policy.
+  ansible.builtin.set_fact:
+    _policies: "{{ item.policies + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}"
+
+- name: Create a role and attach policies.
+  amazon.aws.iam_role:
+    name: "API_{{ item.name }}"
+    assume_role_policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"
+    managed_policies: "{{ _policies }}"